Added support for sys.server_permissions and sys.sql_logins views. #3538
Conversation
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Pull Request Test Coverage Report for Build 13915600009Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
| WHERE datname = CURRENT_DATABASE() COLLATE sys.database_default | ||
| ) | ||
| ) | ||
| CROSS JOIN |
There was a problem hiding this comment.
These joins could be simplified as suggested offline.
There was a problem hiding this comment.
Okay, I will fix this in next commit.
Signed-off-by: Shreya Rai <[email protected]>
| @@ -1,18 +1,22 @@ | |||
| USE master | |||
| -- tsql | |||
| CREATE LOGIN sys_server_permissions_vu_login1 with password = '123' | |||
There was a problem hiding this comment.
Add tests with window login.
CREATE LOGIN [ad\Aduser] from windows;
| OR pg_has_role(sys.suser_id(), 'securityadmin'::TEXT, 'MEMBER') | ||
| OR Ext.orig_loginname = sys.suser_name() | ||
| OR Ext.orig_loginname = (SELECT pg_get_userbyid(datdba) FROM pg_database WHERE datname = CURRENT_DATABASE()) COLLATE sys.database_default) | ||
| AND Ext.type IN ('S'); |
There was a problem hiding this comment.
Yes, I'll make these changes
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
| WHERE (pg_has_role(sys.suser_id(), 'sysadmin'::TEXT, 'MEMBER') | ||
| OR pg_has_role(sys.suser_id(), 'securityadmin'::TEXT, 'MEMBER') | ||
| OR Base.rolname = sys.suser_name() COLLATE sys.database_default | ||
| OR Base.rolname = Master.rolname) |
There was a problem hiding this comment.
OR Base.rolname = Master.rolname)
This means when grantee and grantor are same. Why is this check needed? Which case do we cover with this check?
There was a problem hiding this comment.
CREATE OR REPLACE VIEW sys.server_permissions
AS
SELECT
CAST(100 AS sys.tinyint) AS class,
CAST('SERVER' AS sys.nvarchar(60)) AS class_desc,
CAST(0 AS int) AS major_id,
CAST(0 AS int) AS minor_id,
CAST(Base.oid AS INT) AS grantee_principal_id,
CAST((SELECT oid FROM pg_catalog.pg_roles WHERE rolname =
(SELECT pg_get_userbyid(datdba) FROM pg_database WHERE datname = CURRENT_DATABASE())
) AS INT) AS grantor_principal_id,
CAST('COSQ' AS sys.BPCHAR(4)) AS type,
CAST('CONNECT SQL' AS sys.nvarchar(128)) AS permission_name,
CAST('G' AS sys.BPCHAR(1)) AS state,
CAST('GRANT' AS sys.nvarchar(60)) AS state_desc
FROM pg_catalog.pg_roles AS Base
INNER JOIN sys.babelfish_authid_login_ext AS Ext ON Base.rolname = Ext.rolname
WHERE (pg_has_role(sys.suser_id(), 'sysadmin'::TEXT, 'MEMBER')
OR pg_has_role(sys.suser_id(), 'securityadmin'::TEXT, 'MEMBER')
OR Base.rolname = sys.suser_name() COLLATE sys.database_default
OR Base.rolname = (SELECT pg_get_userbyid(datdba) FROM pg_database WHERE datname = CURRENT_DATABASE()))
I think we can get rid of an INNER JOIN for Grantor information.
|
|
||
| -- tsql user=sys_sql_logins_vu_login1 password=123 | ||
| SELECT * FROM dbo.sys_sql_logins_vu_prepare_view | ||
| GO |
There was a problem hiding this comment.
Please add tests to check other columns of the view like is_policy_checked, is_expiration_checked etc.
| SELECT * FROM sys_server_permissions_vu_prepare_view | ||
| GO | ||
| ~~START~~ | ||
| varchar#!#nvarchar#!#nvarchar#!#nvarchar |
There was a problem hiding this comment.
Add tests to cover all the columns in the view.
There was a problem hiding this comment.
Added few more columns in the test files.
| CASE | ||
| WHEN Ext.type = 'S' THEN 'SQL_LOGIN' | ||
| WHEN Ext.type = 'R' THEN 'SERVER_ROLE' | ||
| WHEN Ext.type = 'U' THEN 'WINDOWS_LOGIN' | ||
| ELSE NULL | ||
| END |
There was a problem hiding this comment.
We have a condition below AND Ext.type = 'S', so these cases are invalid. type_desc can only be SQL_LOGIN
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
| @@ -1,31 +1,99 @@ | |||
| USE master | |||
There was a problem hiding this comment.
Reset the passoward of logins at the top.
| AS | ||
| SELECT | ||
| CAST(100 AS sys.tinyint) AS class, | ||
| CAST('SERVER' AS sys.nvarchar(60)) AS class_desc, |
There was a problem hiding this comment.
Is the value of class_desc is SERVER for windows logins as well?
| CAST(Ext.credential_id AS INT) AS credential_id, | ||
| CAST( | ||
| CASE | ||
| WHEN Ext.orig_loginname = (SELECT pg_get_userbyid(datdba) FROM pg_database WHERE datname = CURRENT_DATABASE()) COLLATE sys.database_default THEN 0 |
There was a problem hiding this comment.
repetitive call of SELECT pg_get_userbyid(datdba) FROM pg_database WHERE datname = CURRENT_DATABASE()) optimize it.
There was a problem hiding this comment.
Made the required changes.
| @@ -0,0 +1,51 @@ | |||
| -- tsql | |||
There was a problem hiding this comment.
- Add cases for scenarios where login is member of multiple fixed server roles for both the testfiles.
- Add negative testcases to show server roles are not being displayed in sql_logins view.
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
Signed-off-by: Shreya Rai <[email protected]>
| ELSE NULL | ||
| END | ||
| AS sys.varbinary(256)) AS password_hash | ||
| FROM sys.server_principals AS Base |
There was a problem hiding this comment.
from performance pov I think we should not fetch columns from view server_principals rather it should be fetched from base catalog itself. Let's get @HarshLunagariya's opinion on this.
There was a problem hiding this comment.
Can you please provide the execution plan for both variations for analyze?
| CREATE OR REPLACE VIEW sys.server_permissions AS | ||
| WITH super_user AS (SELECT datdba AS super_user FROM pg_database WHERE datname = CURRENT_DATABASE()) | ||
| SELECT | ||
| CAST(100 AS sys.tinyint) AS class, |
There was a problem hiding this comment.
When does it return 101 class id server permission?
There was a problem hiding this comment.
100 = Server, 101 = Server-principal, 105 = Endpoint, 108 = Availability Group
| CAST('COSQ' AS sys.BPCHAR(4)) AS type, | ||
| CAST('CONNECT SQL' AS sys.nvarchar(128)) AS permission_name, | ||
| CAST('G' AS sys.BPCHAR(1)) AS state, | ||
| CAST('GRANT' AS sys.nvarchar(60)) AS state_desc |
There was a problem hiding this comment.
For super_user, Shouldn't it show GRANT_WITH_GRANT_OPTION ? Since super_user can grant this privilege to others as per ideal T-SQL behaviour, Although we don't support it granting.
There was a problem hiding this comment.
I compared it against TSQL behaviour, for super_user, it shows GRANT permission only.
| WHERE(pg_has_role(sys.suser_id(), 'sysadmin'::TEXT, 'MEMBER') | ||
| OR pg_has_role(sys.suser_id(), 'securityadmin'::TEXT, 'MEMBER') | ||
| OR Base.rolname = sys.suser_name() COLLATE sys.database_default | ||
| OR Base.rolname = (SELECT pg_get_userbyid(super_user) FROM super_user)) |
There was a problem hiding this comment.
Do we really need OR Base.rolname = (SELECT pg_get_userbyid(super_user) FROM super_user)) , if we have (pg_has_role(sys.suser_id(), 'sysadmin'::TEXT, 'MEMBER') already? Won't it cover super_user as well?
There was a problem hiding this comment.
No it doesn't, we have to use Base.rolname = (SELECT pg_get_userbyid(super_user) FROM super_user)
| CAST('CO' AS sys.BPCHAR(4)) AS type, | ||
| CAST('CONNECT' AS sys.nvarchar(128)) AS permission_name, | ||
| CAST('G' AS sys.BPCHAR(1)) AS state, | ||
| CAST('GRANT' AS sys.nvarchar(60)) AS state_desc; | ||
| GRANT SELECT ON sys.server_permissions TO PUBLIC; |
There was a problem hiding this comment.
Are there any other permission which needs to be supported? have we analysed all of them if they are supported in Babelfish?
There was a problem hiding this comment.
Since GRANT permission is not supported in Babelfish, I have only incorporated the default permissions which exist by default i.e. CONNECT SQL for each SQL and WINDOW logins and CONNECT for public via TSQL Default TCP endpoint.
| WHERE(pg_has_role(sys.suser_id(), 'sysadmin'::TEXT, 'MEMBER') | ||
| OR pg_has_role(sys.suser_id(), 'securityadmin'::TEXT, 'MEMBER') | ||
| OR Base.name = sys.suser_name() | ||
| OR Base.name = (SELECT super_user FROM super_user)) |
There was a problem hiding this comment.
Same as
Do we really need OR Base.rolname = (SELECT pg_get_userbyid(super_user) FROM super_user)) , if we have (pg_has_role(sys.suser_id(), 'sysadmin'::TEXT, 'MEMBER') already? Won't it cover super_user as well?
| CAST( | ||
| CASE | ||
| WHEN Base.name = (SELECT super_user FROM super_user) THEN 0 | ||
| ELSE 1 | ||
| END | ||
| AS sys.BIT) AS is_policy_checked, |
There was a problem hiding this comment.
Just asking out of curiosity, Why does is_policy_checked column return 0 for superuser, Although password is checked for superuser as well.
There was a problem hiding this comment.
It is as per TSQL, is_policy_checked column returns 0 for superuser.
| ELSE NULL | ||
| END | ||
| AS sys.varbinary(256)) AS password_hash | ||
| FROM sys.server_principals AS Base |
There was a problem hiding this comment.
Can you please provide the execution plan for both variations for analyze?
Signed-off-by: Shreya Rai <[email protected]>
Description
This PR adds full support for
sys.server_permissionsandsys.sql_loginsviews, addressing a current limitation in Babelfish. The implementation includes essential system viewssys.server_permissionsandsys.sql_loginsrequired for comprehensive login export capabilities. This enhancement enables users to view server permissions and details about the logins in Babelfish, maintaining compatibility with TSQL Server syntax.Added Components
Views:
sys.server_permissions: For managing server-level permissions
sys.sql_logins: For managing SQL Server authentication logins
BABEL-5654
Signed-off-by: Shreya Rai [email protected]